
Communications of the ACM

ACM News

Corrupted Open Source Software Enters the Russian Battlefield


Node-ipc is present in many programs. This Node.js module is used for local and remote inter-process communication (IPC) on Linux, Mac, and Windows systems. It's also used in the very popular vue-cli, a JavaScript framework for building Web-based user inter


It started as an innocent protest. RIAEvangelist (Brandon Nozaki Miller), a maintainer of packages on npm, JavaScript's package manager, wrote and published an open source npm package called peacenotwar. It did little except add a protest message against Russia's invasion of Ukraine. But then it took a darker turn: it began destroying computers' file systems.

To be exact, Miller added code that would delete the file system of any computer with a Russian or Belarusian IP address. Then, its maintainer added the module as a dependency to the extremely popular node-ipc module. Node-ipc, in turn, is a popular dependency that many JavaScript programmers use. And it went from annoying to a system destroyer.

The code has undergone several changes since it first appeared, but it must be regarded as highly dangerous. Underlining its potential for damage, Miller encoded his code changes in base64 to make it harder to spot the problem by simply reading the code.
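Because base64 hides strings from a reader, a dependency review can decode them mechanically. The following is an added example, not code from the article, node-ipc, or peacenotwar: it lists string literals that are valid base64 and decode to readable text. The function names and the sample input are constructed for illustration.

```javascript
// Added example: surface base64-encoded string literals in JavaScript source
// so a reviewer can read what they decode to. Names here are hypothetical.

// A quoted run of base64 characters, at least 8 long, with optional padding.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{8,}={0,2})\1/g;

// True when every byte is printable ASCII, i.e. the decoded value is text.
function isPrintable(buf) {
  return buf.length > 0 && buf.every((b) => b >= 0x20 && b <= 0x7e);
}

// Returns one finding per literal that round-trips as canonical base64
// and decodes to printable text. Ordinary words that merely use the base64
// alphabet (for example "password") decode to binary junk and are skipped.
function findEncodedStrings(source, file = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const m of text.matchAll(B64_LITERAL)) {
      const literal = m[2];
      if (literal.length % 4 !== 0) continue; // not padded base64
      const decoded = Buffer.from(literal, "base64");
      if (decoded.toString("base64") !== literal) continue; // not canonical
      if (!isPrintable(decoded)) continue;
      findings.push({
        file,
        line: idx + 1,
        literal,
        decoded: decoded.toString("latin1"),
      });
    }
  });
  return findings;
}

// Constructed sample input with harmless encoded strings.
const SAMPLE = [
  'const ipc = require("node-ipc");',
  'const field = Buffer.from("aGVsbG8gd29ybGQ=", "base64").toString();',
  'const key = "password";',
  "const msg = atob('SGVsbG8sIFdvcmxkIQ==');",
].join("\n");

console.table(findEncodedStrings(SAMPLE, "sample.js"));
```

A hit is a prompt for manual review rather than proof of malice, since legitimate code also embeds base64.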

From ZDNet


